Audit Logs
Collects and ingests audit logs from the MuleSoft Anypoint Platform, providing visibility into user, organization, and application actions across Anypoint products such as Core Services, Runtime Manager, API Manager, and Exchange.
Sync Type: Incremental
Requirements
Before connecting Monad to MuleSoft Anypoint Platform, you need:
-
Anypoint Control Plane
- The control plane your organization is hosted on (US, EU, or US Government Cloud)
- This determines the base URL and the rate limit applied to the audit query endpoint
-
Organization ID
- The Anypoint organization (business group) ID whose audit logs you want to collect
-
Connected App (OAuth2 Client Credentials)
- A connected app configured for the Client Credentials grant type
- Client ID and Client Secret
- The app must be granted a scope/role that allows reading audit logs (e.g. Audit Log Viewer or Organization Administrator)
Control Plane Mapping
| Control Plane | Region Value | Base URL |
|---|---|---|
| United States | us | https://anypoint.mulesoft.com |
| Europe | eu | https://eu1.anypoint.mulesoft.com |
| US Government Cloud | gov | https://gov.anypoint.mulesoft.com |
Finding Your Organization ID
- Log in to Anypoint Platform as an administrator
- Navigate to Access Management > Organization
- Select your organization (business group)
- Copy the Organization ID (a UUID) from the organization details
Creating a Connected App
- Log in to Anypoint Platform as an administrator
- Navigate to Access Management > Connected Apps
- Click Create app
- Enter a name (e.g. "Monad Audit Logs")
- Select App acts on its own behalf (client credentials)
- Click Add scopes and grant a scope that permits reading audit logs (for example Audit Log Viewer, or Organization Administrator scoped to the relevant organization)
- Click Save
- Copy and securely store the Client ID and Client Secret
Monad exchanges these credentials for a bearer token via the client_credentials grant against /accounts/api/v2/oauth2/token, then queries /audit/v2/organizations/{organizationId}/query.
Configuration
The following configuration defines the input parameters. Each field's specifications, such as type, requirements, and descriptions, are detailed below.
Settings
| Setting | Type | Required | Description |
|---|---|---|---|
| Control Plane | string | Yes | The Anypoint Platform control plane to connect to. Determines the base URL and the audit query rate limit. Options: us (United States), eu (Europe), gov (US Government Cloud). Defaults to us. |
| Organization ID | string | Yes | The Anypoint organization (business group) ID whose audit logs are queried. Found in Access Management > Organization. |
| Backfill Start Time | string | No | The date to start fetching audit logs from, in RFC3339 format (e.g. 2024-01-01T00:00:00Z). If not specified, the connector fetches logs from the time it is created on a pipeline. |
| Use Synthetic Data | boolean | No | Generates demo audit logs for testing without connecting to MuleSoft. Useful for validating configuration without credentials. |
Secrets
| Secret | Type | Required | Description |
|---|---|---|---|
| Client ID | string | Yes | OAuth2 Client ID from your Anypoint connected app (client credentials grant). |
| Client Secret | string | Yes | OAuth2 Client Secret from your Anypoint connected app (client credentials grant). |
Rate Limits
The Anypoint Audit Log Query endpoint is rate limited per IP, and the limit depends on the control plane. If a client exceeds the limit, the endpoint returns a 503 Service Unavailable status until the minute expires.
| Control Plane | Allowed Requests per Minute per IP |
|---|---|
| US | 700 |
| EU | 40 |
| US Government Cloud | 40 |
The connector automatically paces its requests below the limit for the selected control plane and implements retry logic with backoff to handle throttling responses gracefully. See the Audit Log Query rate-limit policy for details.
Troubleshooting
Common Issues
1. Authentication Failures (401 Unauthorized / invalid_client)
Symptoms: Error message "invalid_client" or 401 Unauthorized when attempting to connect.
Causes:
- Client ID or Client Secret is incorrect
- The connected app was deleted or its secret was rotated
- Credentials contain extra whitespace
Solutions:
- Double-check that the Client ID and Client Secret are correct and copied without leading/trailing spaces
- Verify the connected app still exists in Access Management > Connected Apps
- Rotate the Client Secret if it may have been compromised, and update Monad with the new value
2. Permission Denied (403 Forbidden)
Symptoms: The connection authenticates but audit queries are rejected as forbidden.
Causes:
- The connected app does not have a scope/role permitting audit log access
- The app is not authorized for the specified organization
Solutions:
- In Access Management > Connected Apps, edit the app and add a scope such as Audit Log Viewer (or Organization Administrator) for the relevant organization
- Confirm the Organization ID matches an organization the app is scoped to
3. Wrong Control Plane
Symptoms: Authentication or query failures even though the credentials are valid.
Causes:
- The selected control plane does not match where your Anypoint organization is hosted
Solutions:
- Confirm whether your organization is on the US, EU, or US Government Cloud control plane and select the matching Control Plane value
- Cross-reference the base URL you use to log in to Anypoint with the Control Plane Mapping table above
4. No Audit Logs Appearing
Symptoms: The connector runs successfully but no audit logs are collected.
Causes:
- No audit events occurred during the specified time window
Backfill Start Timeis set to a recent time (logs are only generated as events occur)
Solutions:
- On the first sync without a
Backfill Start Time, the connector fetches logs from now onward - To collect historical logs, set
Backfill Start Timeto an earlier date - Verify that audit events are actually occurring in your Anypoint organization
5. Invalid Backfill Start Time
Symptoms: Validation error about the backfill time format.
Causes:
- Date not in RFC3339 format, invalid values, or a timestamp in the future
Solutions:
- Use RFC3339 format with timezone:
2024-01-01T00:00:00Z(UTC) or2024-01-01T00:00:00-05:00(with offset) - Verify the date is valid and not in the future
Related Articles
- Anypoint Audit Logging
- Audit Log Query API rate-limit policy
- Connected Apps
- Connected Apps — Client Credentials grant
Sample Record
Code